-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Reference: CERT-EU Security Advisory 2011-0027
Title: Unspecified vulnerability in Adobe Flash Player 11.1.102.55 [1][2]
Version history:
09.12.2011 Initial publication
Summary
=======
Adobe Flash Player 11.1.102.55 on Windows and Mac OS X allows remote attackers to execute arbitrary code via a crafted SWF file.
CVE-2011-4693
CVE-2011-4694
Severity Level[3]: CVSS2 Base 9.3
Remote Yes
Local No
Credibility Vendor Not Confirmed
Ease Exploit Available
Authentication Not Required
Potential impact
================
An attacker can craft a special SWF file which, when loaded by the target user, executes arbitrary code on the target system.
1. An attacker crafts a malicious file to leverage this problem.
2. The attacker may use email or other means to distribute the malicious file and to entice an unsuspecting user to open it.
3. When the file is processed, the attacker's code runs with the target user's privileges.
Vulnerable Systems
==================
Adobe Flash Player 11.1.102.55 on Windows and Mac OS X (see Summary). Among others,
any operating system which runs Flash Player may also be affected.
What can you do?
================
Solutions:
At the time of writing we are not aware of any vendor-supplied patches. We shall send an update when we become aware that patches have been released. If you believe this is not correct, or if you are aware of more recent information,
please share it with us.
Workarounds:
Do not accept or execute files that originate from unfamiliar or untrusted sources.
Exercise caution and be wary of links to sites that are provided by unfamiliar or suspicious sources.
Implement memory-protection schemes, such as non-executable stack/heap configurations (DEP) and randomly mapped memory segments (ASLR), as these may mitigate the risk by complicating exploitation of memory-corruption vulnerabilities.
Ensure minimal access rights are granted when running software.
Monitor network traffic for signs of anomalous or suspicious activities.
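The attack scenario in this advisory relies on getting a crafted SWF file in front of a user, typically as a mail attachment or a download, and the first workaround above is to refuse files from untrusted sources. A mail or web gateway can enforce that on content rather than on the file name, since an attacker will simply rename the attachment. The Python below is an added example and is not CERT-EU's or Adobe's code: it recognises the three SWF header variants (FWS uncompressed, CWS zlib, ZWS LZMA) by their signature bytes, checks the declared length against what is actually present, and flags inconsistencies. The sample attachments are constructed inline and are not real exploit files.

```python
import struct
import zlib
from typing import Optional

# SWF files start with a 3-byte signature, a 1-byte version and a 4-byte
# little-endian uncompressed length (header included). The signature tells
# how the body after byte 8 is encoded. Checking these bytes instead of the
# file extension means a renamed attachment is still recognised as Flash content.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes) -> Optional[dict]:
    """Return header facts if data looks like an SWF file, None otherwise.

    Anything that does not add up (declared length vs. real size, corrupt
    zlib body) is recorded under "suspicious"; a file that claims to be an
    SWF but is internally inconsistent deserves a closer look before any
    user is allowed to open it.
    """
    if len(data) < 8:
        return None
    signature = data[:3]
    if signature not in SWF_SIGNATURES:
        return None
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    info = {
        "compression": SWF_SIGNATURES[signature],
        "version": version,
        "declared_length": declared_len,
        "actual_length": len(data),
        "suspicious": [],
    }
    if signature == b"FWS" and declared_len != len(data):
        info["suspicious"].append("declared length differs from file size")
    elif signature == b"CWS":
        try:
            body = zlib.decompress(data[8:])
        except zlib.error:
            info["suspicious"].append("zlib body corrupt or truncated")
        else:
            if len(body) + 8 != declared_len:
                info["suspicious"].append("declared length differs from decompressed size")
    # ZWS (LZMA) bodies are only identified here, not decompressed.
    return info


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for a mail attachment: 'swf' / 'swf-suspicious' / 'other'.
    The filename is reported only; the decision rests on the content."""
    info = parse_swf_header(data)
    if info is None:
        return "other"
    return "swf-suspicious" if info["suspicious"] else "swf"


# Constructed sample inputs (not real malware): a minimal SWF body and the
# two header variants wrapped around it.
SAMPLE_BODY = b"\x00" * 20


def make_fws(body: bytes, version: int = 10) -> bytes:
    return b"FWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + body


def make_cws(body: bytes, version: int = 10) -> bytes:
    return b"CWS" + bytes([version]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)


if __name__ == "__main__":
    samples = {
        "movie.swf": make_fws(SAMPLE_BODY),
        "invoice.pdf": make_cws(SAMPLE_BODY),             # SWF renamed to look harmless
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # genuine JPEG header
        "broken.swf": make_cws(SAMPLE_BODY)[:12],         # truncated in transit
    }
    for name, blob in samples.items():
        print(f"{name:12s} -> {classify_attachment(name, blob)}")
```

A gateway policy built on this would quarantine anything classified "swf" or "swf-suspicious" from external senders regardless of extension; the LZMA (ZWS) variant is identified but not unpacked here, so its declared length is not cross-checked.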
What to tell your users?
========================
Normal security best practices apply. In particular, inform your web users to be cautious about following links to sites provided by unfamiliar or suspicious sources. Users should not click on links in suspicious
emails, and should immediately forward any suspicious email to the IT security officer / contact in your institution.
More information
================
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4693
[2] https://www.redhat.com/security/data/cve/CVE-2011-4694.html
[3] CVSS details:
CVSS Version 2 Scores
CVSS2 Base 9.3
CVSS2 Temporal Undefined
CVSS2 Base Vector AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS2 Temporal Vector Undefined
More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html
Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

=eUvZ
-----END PGP SIGNATURE-----